1. Field of the Invention
This application relates to the field of digital data communication, more particularly to the field of using extranets to access data in connection with digital data communication.
2. Description of the Related Art
The proliferation of computers in the workplace has led to the development of several distinct types of networks. The Internet, perhaps the most widely familiar of these, allows public access to a tremendous amount of information scattered around the world. Intranets, on the other hand, are networks whose access is generally limited to on-site users at a business or other institution, although dial-up access is often available. Intranets may be used for storing data and files, for interoffice electronic communications, and for other support functions. Access may be limited to the employees of the business or institution. Virtual private networks, or VPNs, have evolved as a means of allowing employees to access their intranet from remote locations, via an internet connection, for example.
None of these methods adequately addresses the need for a company to allow other businesses to access and interact with the company""s data under certain constraints. The Internet, for example, permits access by the public, and therefore poses security risks for sensitive information. Although intranets are more secure, having access limited to designated users only, an intranet often contains information to be held private by one business; currently, restricting access to various portions of an intranet to particular users can become unwieldy, often resulting in a multitude of passwords, each being used to obtain access a different area of an intranet. Conventional VPNs, which simply offer remote access to an intranet, do not adequately address this issue in all instances where this feature might be desirable.
To meet these needs, extranets have been developed. An extranet is a private network that uses the Internet protocols and the public telecommunication system to securely share part of a business""s information or operations with suppliers, vendors, partners, customers, or other businesses. An extranet can be viewed as part of a company""s intranet that is extended to users outside the company. However, existing extranet technologies suffer from a number of deficiencies. For example, as described for intranets above, it may be difficult or cumbersome to reserve access to portions of an intranet to a subset of users. Furthermore, security provisions, such as user identification systems and document certification and verification techniques, have not fully been implemented in a manner that meets the needs of all potential extranet users. Thus, existing extranets may not provide the layered, secure functionality required by modern businesses.
The systems and methods described herein relate to providing secure access and transactions using an extranet. In certain embodiments, digital certificates are used to regulate access and authenticate transactions. For example, in one embodiment, the systems and methods described herein relate to an access system for a computer site, including a certificate authentication component to verify a user""s identity from a digital certificate supplied by the user, a directory coupled to the certificate authentication component to store information representative of a plurality of users including an access policy for each user, and an access control system coupled to the directory to restrict access to the user based on the access policy associated with the user in the directory. In certain embodiments, the access policy includes information representative of a portion of the computer site to which the user is permitted access. In certain embodiments, the system also includes a certificate authority component coupled to the certificate authentication component to issue digital certificates to the user. In certain embodiments, the system also includes a log system coupled to the certificate authentication component to record the user""s actions in the computer site. In certain embodiments, the computer site is an extranet.
In certain embodiments, the system includes a transaction authentication system coupled to the certificate authentication component to provide verified records of transactions performed using the computer site. In certain embodiments, the transaction authentication system includes a digital signing module for validating transactions.
The systems and methods described herein further provide a method of regulating access to a computer site by receiving from a user a request to access a computer site or a portion thereof, receiving information representative of the user""s identity, consulting a directory containing information representative of a plurality of users, said information including an access policy for each user, to determine whether the user is permitted to access the computer site or portion thereof, and granting or denying access to the user according to the access policy for the user. Consulting a directory may include checking the access policy to determine a portion of the computer site to which the user is permitted access. Receiving a request may include receiving a URL address for a site within the computer site. Receiving information representative of the user""s identity may include receiving a password, a retinal scan, a fingerprint, a digital certificate, or a document capable of being decrypted by a public key.
In yet another aspect, the systems and methods relate to an access system for a computer site, including means for verifying a user""s identity from a digital certificate supplied by the user, means for storing information representative of a plurality of users, said information including an access policy for each user, and means for restricting access to the user based on the access policy associated with the user in the means for storing information. In certain embodiments, the means for storing information includes information representative of a portion of the computer site to which the user is permitted access. In certain embodiments, the system further includes means for issuing digital certificates to the user. In certain embodiments, the system includes means for recording the user""s actions in the computer site. In certain embodiments, the system also includes means for storing verified records of transactions performed using the computer site.